Analysis

  • max time kernel
    119s
  • max time network
    110s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-10-2024 03:30

General

  • Target

    30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N.exe

  • Size

    2.6MB

  • MD5

    9de6fa8f790d4cc461b260907f377ed0

  • SHA1

    87caef779744371cc0f5cb9a2ec912f5b6a9f80d

  • SHA256

    30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50

  • SHA512

    c19917e2a5bf5a9953e48e7f0e4d30c328cde4094425e2090be0f2187e7f935325936e6aeb66b1e0e6c4542865f6a4985b08b06a3967d5e43d5b8f257085d1ed

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LByB/bS:sxX7QnxrloE5dpUpRb

Malware Config

Signatures

  • Drops startup file (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N.exe
    "C:\Users\Admin\AppData\Local\Temp\30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1836
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:5024
    • C:\UserDot7Y\devoptisys.exe
      C:\UserDot7Y\devoptisys.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2936

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MintQL\dobasys.exe

    Filesize

    2.6MB

    MD5

    f57b426268fa0ba166d8bac35a663008

    SHA1

    813ae1e3ea4918704af55f395b3bfde63d6f1966

    SHA256

    7e6821e920875b2c3a32caa03de7658e00726dc1860bbe21943489fb95834fe1

    SHA512

    d335b7b09c8f38afc17160d00a3272b59354b914908a0f6aba7a4b86a8c8b9082d7f8f3caad4e35bb2886c7c621db0cc124bb7fe2a07fd15f378c09cec9f2ef7

  • C:\MintQL\dobasys.exe

    Filesize

    2.6MB

    MD5

    b608991e294a6491557bff168c697a31

    SHA1

    48c751535e6745b4ef30fb9ec758245769a3c6b3

    SHA256

    ddb40df2c664917d94d71cbd08abd6f6b40ce9000b579d4971dc089acb8c9680

    SHA512

    2ff1dea59c82ed4e4e92280269946e379451a49b2dce51147774471012312e543101a96134b1b77da7a87a8a245f6896a88f75bee4a78a237a109cd8f53a5a1a

  • C:\UserDot7Y\devoptisys.exe

    Filesize

    2.6MB

    MD5

    c197b96d4aaf6a94d8c9d5e8eaa46647

    SHA1

    6a5d202d5c12f92ed08c4e3173e8076b30599e68

    SHA256

    c1f0ac365490dcd4bb79e6fbbb426a12096d0d117fdcacf38da111f17366b8be

    SHA512

    982ea75660b8c55cf14fe2ee62c499eb526f3026aafc6a74a6d32c0f3a52de610668874c9718769e8d027b547fe20cd043415c6f30956342e6261f31117096b6

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    204B

    MD5

    2f978ab78172161cfcfd62406c2e00b9

    SHA1

    40be35cb79953631020336baf50a0b2d54c198ad

    SHA256

    acc0e2f1a3d20cfefaeddff8f64644466905ca618b310e67c2ded09ca1b0988e

    SHA512

    ede343473b6a11e8cafd669b0fc1fa658ea0c028bed54435d26248c7cc9b5833a955a563bb042c72f0e5d77fd5ad6d0c2ee1a07526f26fc1d1fa6c96695aae5b

  • C:\Users\Admin\253086396416_10.0_Admin.ini

    Filesize

    172B

    MD5

    367928d6d11135c9f817103762279199

    SHA1

    b7a53b71f840624a15d8ecc5d76c4879229fab02

    SHA256

    40bc32f3aacd60013cb4196ef781dfbde62f45ba9c6120bfa11b6b1bbb728a1f

    SHA512

    7e572f627bbcfc0fff110e4bfcc34791f0b099408c3a7733f1aa33bc2d19a3992431249b15b1303b12ddca578afa8821a2ea504ddf1c6b36c1f5544f264e86e5

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe

    Filesize

    2.6MB

    MD5

    36029b303afea72101cf411e51e3397b

    SHA1

    f2fee78488eeb32b1923e56548c395dfda0e424d

    SHA256

    5ca064ac40f7b36bc76b8253b93e9114675b6dc8210e358ab05ac6b14d44c194

    SHA512

    4e19c067842eafd72ff585c59dc44e8457f0543a6721878d73e72958aaafae13428b1211d48916fa2c02e0731b1d2ac752f2af78e761b2254e20dd49c930d5fe